smartphones and security

With all the news lately about smartphones becoming the new frontier for phishing and spamming and viruses and trojans and ransomware and all that, how do you protect yourself from this crap? They're finding new and ever more vicious stuff all the time that the major antivirus companies can't detect on PCs, and I have no idea if they're taking seriously the threat posed to the smartphone industry. How do you keep your phone secured from these things? What phones are most and least susceptible?

Frex, the current phone I have now doesn't properly "lock" (as in protect itself with the need to enter some sort of passcode to use it, preferably after a few seconds of inactivity) unless I turn it off, at which point it becomes useless. It has a "vault" in which I can store a few small strings of numbers like PINs, but no way to protect my phone contacts, texts, messages, photos, or anything else if I should happen to drop it. (Unless the battery runs out and it turns off.)

I'm also not a big fan of great big, easily scratched displays that retain my greasy finger swipes and are too big to fit in any normal sized pocket.

How do I keep my phone's contents somewhat secure? How do I keep that several-hundred-dollar investment from being turned into a useless piece of plastic by some random hacker wannabe? How do I keep someone from reading the little 8G card by simply removing it from the phone?

Is there an article (or series) about this kind of thing coming up? Seems like every other day we get a warning that the sky is falling, but not a single clue what we should be doing about it other than cowering and praying.

Every Android phone can be locked with a PIN, or a pattern (after a timeout, or on-demand by pushing the power button), and every Android has an "encrypt" option that encrypts all of your data, including the SD card.

See? That's the point. What constitutes a better phone? Am I supposed to try out HUNDREDS of them just to have some idea what I should expect?

Frex = for example. All the cool kids are saying it.

Frex = stupid, for the record.

And for decent phones, you have to stay with these manufacturers:

Motorola - the Razrs are the best phones available right now, in my opinion.

Apple - iPhones are still nice, though limiting.

That's it. Yes, I'm leaving out Samsung (TouchWiz is too horrible) and Nokia (Windows phones are too...pointless). I suppose you could always get an "official" Nexus phone from Google, too. Those are always pretty nice.

Ok, that's some help. Now if only I could trust the words of someone who doesn't understand the value of words like frex.

These are of course your opinions, presumably boiled down after a lot of experience. However, your opinions might not match mine. Your needs might not match mine. There was just a huge story on hacking Androids. Does that invalidate what you just said about them, or does it prove there is no such thing as a modicum of safety/security?

There JUST was an article on Ars about targeted malware on Android. Something a PIN on the lockscreen won't protect you from. This is a worthwhile discussion, IMO, and you can't trivialize it away by saying "Android's had PIN protection for the last 5 years". Malware is still an issue, presumably even for a curated app store like Apple's.

Security is what you make of it. If you go around installing random apps without looking at what permissions they want, you're putting yourself at greater risk. If you use an Android phone from a vendor with a history of introducing security flaws, you're putting yourself at greater risk.

Encrypt your device and look at what apps want access to before you install them. Or better yet, don't install apps at all unless you absolutely need them.

This. Totally, and unabashedly this.

Security is one thing, but simply relying on OOB security is another thing. I know that manufacturers aren't taking great strides to properly make their phones secure - they are mostly relying on Google's own security in the OS. People like Samsung have taken it a little bit further by having a "Find My Phone" type security feature in TouchWiz that allows you to track the location of your phone from your Samsung account; I think you can also perform a remote device wipe. I'm willing to bet LG, Motorola and HTC have taken similar measures.

Then there are the plethora of "security" apps out there that promise to be able to do the same thing. I don't know for sure if they really do perform as reliably as their marketing departments say, but let's assume that they do.

Finally, for users who have Activesync going on their devices - and depending on how the email admins have configured the exchange server mobile device policies - you can do a full remote device wipe from within your Exchange account. I know for a fact that our Exchange server policies allow us to wipe just email, wipe all sync'd Exchange data, or wipe the entire phone ("entire phone" being whatever storage devices your physical hardware detects; this might not include microSD card depending on certain hardware factors).

These are all last resort actions that you shouldn't have to consider if you took your device security seriously. Of course, you can't avoid people breaking into your car/house and stealing your tablet or smartphone, but you can at least take due diligence to encrypt your storage, read the app's permissions when installing/updating, and take action on your own to make sure that your PIN isn't your own damn phone number or "9999"/"1111" because they're the easiest buttons to hit on the keypad. You'd be surprised at how many times I've been able to unlock a colleague's PIN protected phone because their PIN was the last 4/5 digits of their home phone or mobile phone.

Good, some of you are starting to get that this isn't a simple issue. When I asked my original respondent, "what constitutes better" I meant that directly, as in, how is the phrase "better phone" supposed to be defined so we're all on the same page? Obviously, there's a lot of subjectivity. The tone of my original question should have led the reader to consider things like security and convenience to be "better", though again we have subjective terminology here which requires more explanation to get the clearest meaning across.

I know pretty much nothing of the modern offerings. I got my phone just as the smartphone hysteria started. Mine isn't one. For the most part, I didn't think I wanted one. But the new wave seems to be integrating a lot of computer features into phones, and I know there's tons of problems with computer viruses and security, and recent articles have focused on the same thing happening to phones.

For the person who doesn't HAVE a smartphone but is thinking of getting one, what are the concerns to be aware of? When you say this or that software publisher shouldn't be trusted with this or that level of access, well, it's obviously clear as mud to the uninitiated. I only just used a tablet for a couple hours within the past month for the first time.

I want to know if the tech has caught up enough that it would be worth my while to get it, and as I can't lay out exactly what my priorities and needs are (because I don't know what they are) I have to do the best I can to get someone knowledgeable to clue me in. I can't ask the right questions until I learn what questions to ask.

I like Apple's approach to privacy (which is intertwined with security, IMO). You can revoke access on a per app, per entitlement basis. Android shows MORE permissions that an app requests at install time, but it's an all or nothing thing. If you don't like one of the entitlements that app is asking for, you have no choices other than to suck it up, or to not install. With the Apple model, not all the entitlements that the app asks for are listed, but you can revoke, say, access to the calendar, while still allowing access to location services.

That said, my iOS device has practically no personal information on it, whereas my Android device is chock full of personal goodies. Like other posters have said, you have to do your due diligence in researching apps that you are about to install. Android thankfully uses fairly plain English in describing what the permissions entail.

I meant that directly, as in, how is the phrase "better phone" supposed to be defined so we're all on the same page? Obviously, there's a lot of subjectivity

Much too broad a stroke there, eh?

In a software context, it's anything running a modern OS. Android 4.x or iOS 6.x or later. In the case of iOS devices, that means iPhone 4 or later. In the case of Android, that's much more complicated due to the massive amount of devices made available, but sticking with any of the more popular phones as I listed in my first response above should generally keep you current.

From a hardware context, again as I listed above, there are differences, but that gets very subjective.

Even software-wise, as molo's highly-opinionated posts always show, there are additional details, but that's about as broad as I am willing to paint.

Quote:

For the person who doesn't HAVE a smartphone but is thinking of getting one, what are the concerns to be aware of?

Run antivirus from a major vendor on your mobile device (Lookout, AVG, Avast...). Only download apps from major publishers from trusted sources (that would be directly from the Play Store, for Android, or the App Store, for iOS). Don't click on suspicious links or e-mails.

Much is the same behaviour as smart use of a computer. Heck much of it is almost identical.

Quote:

I want to know if the tech has caught up enough that it would be worth my while to get it, and as I can't lay out exactly what my priorities and needs are (because I don't know what they are) I have to do the best I can to get someone knowledgeable to clue me in. I can't ask the right questions until I learn what questions to ask.

You're both making it more simple and more complicated.

Worth your while to get-- well, why do you want one is perhaps the most salient question. (If you can't think of why, then don't get one. Simple answer!)

Tablets and smartphones by all means are primarily consumers of content. Their small screens and lack of a physical keyboard make creating content (writing long e-mails, posts on Ars Technica, etc.) less comfortable than a computer with an actual keyboard. Slow processors and limited storage space further reinforce this.

So if you want a portable device to consume content (surf the internet, play games, watch Youtube videos), a tablet or smartphone might be great. If you don't care about any of these things, then you might want to reconsider.

The rest of the details listed above are all largely the same between tablets and phones and have already been addressed in your thread. If you want more specific details and recommendations on what you think might be better, or at least better for your needs, you'll probably want to go to the Apple store or the Microsoft Store or Best Buy or whatnot and play with a few tablets for a while to get an idea on what form factor you prefer, which OS you prefer, and what price point you are comfortable with.

Your three wants/desires may not be compatible in the end, but as it is, we can only give you the most generic recommendations at the moment, and a collection of unfocused opinions that may or may not be useful.

Good, some of you are starting to get that this isn't a simple issue. When I asked my original respondent, "what constitutes better" I meant that directly, as in, how is the phrase "better phone" supposed to be defined so we're all on the same page? Obviously, there's a lot of subjectivity. The tone of my original question should have led the reader to consider things like security and convenience to be "better", though again we have subjective terminology here which requires more explanation to get the clearest meaning across.

I know pretty much nothing of the modern offerings. I got my phone just as the smartphone hysteria started. Mine isn't one. For the most part, I didn't think I wanted one. But the new wave seems to be integrating a lot of computer features into phones, and I know there's tons of problems with computer viruses and security, and recent articles have focused on the same thing happening to phones.

For the person who doesn't HAVE a smartphone but is thinking of getting one, what are the concerns to be aware of? When you say this or that software publisher shouldn't be trusted with this or that level of access, well, it's obviously clear as mud to the uninitiated. I only just used a tablet for a couple hours within the past month for the first time.

I want to know if the tech has caught up enough that it would be worth my while to get it, and as I can't lay out exactly what my priorities and needs are (because I don't know what they are) I have to do the best I can to get someone knowledgeable to clue me in. I can't ask the right questions until I learn what questions to ask.

Does that make more sense?

(emphasis added by me). Your sentence there makes it seem like you think YOU are educating US on security issues with smartphones. I think it's poor form to act superior to the people you are asking for help.

Speaking of poor form, what if I jumped into a conversation in which I had no clue what was being discussed, projected my own feelings of insecurity on the participants, and made several complaints which didn't really have any bearing on reality, much less the topic at hand? Would I outdo myself if I did that, or would that make me too much of an overachiever?

It was quite obvious to several other posters that the issue of which I was speaking was about how someone looking at buying their first smartphone could get at the right questions to ask, and had nothing whatsoever to do with teaching security experts how to do their job. I know this because the quality of the answers increased as we worked together to help each other gain a mutual understanding of the concerns. I obviously needed help in understanding things and needed to make clear my level of knowledge on the topic was only slightly above that of the average bear, so that the answers given would be more meaningful. I think we had some success.

And I would still like to see some kind of article about this. What does a first timer need to know? What should he look for if he's concerned with security? With watching videos? With doing office chores? With admining a server/site remotely? With playing Angry Birds? With... I dunno, what else do people use their phones for? Surely there's a know-it-all just dying to share it all with us, right? A beginner's guide to smart phones?

Anyway, thanks to everyone for the help. Still interested to read any additional input so I can ask better questions next time.

It was quite obvious to several other posters that the issue of which I was speaking was about how someone looking at buying their first smartphone could get at the right questions to ask, and had nothing whatsoever to do with teaching security experts how to do their job.

That wasn't clear at all to me, if it helps-- especially after the first two paragraphs which made very little sense and seemed to express some basic misunderstanding of security lock-screens and whatnot, without elaborating at all on what exact hardware you had (which might be important!)... By the time your last two paragraphs came up I think you'd already offended much of your audience.

See? It took me that long to figure out what questions to ask and how to ask them.

Thanks for the links.

If people choose to project hatefulness within themselves onto me to be offended about, there's not a whole lot I can do about that except expose it and hope they're smart enough to figure out it's not actually me or anything I did they're angry at. Now and then, some do.

Angry? Not at all. We're all just electrons to each other, so why be angry? I was exposing the shittiness of your post, and THAT is the reason why you were getting as you call it "poor quality responses". Your questions are good, but you need to do a better job of posting.

Oh, and there's no point in trying to act like a zen master. Instead of trying to avoid taking criticism, you should focus on what YOU could do better next time to write more clearly, and to use better word choices.

Even people who are answering your questions are trying to gently tell you to write more clearly, and to communicate better.

You must not have read what I wrote, because I pretty much said that quite a few times. You even quoted me saying it. Maybe you should take some of your own advice about not trying to prove you're a zen master or something?

Ok, that's some help. Now if only I could trust the words of someone who doesn't understand the value of words like frex.

These are of course your opinions, presumably boiled down after a lot of experience. However, your opinions might not match mine. Your needs might not match mine. There was just a huge story on hacking Androids. Does that invalidate what you just said about them, or does it prove there is no such thing as a modicum of safety/security?

This sounds like a job for a major article on a major website.

If you can't trust someone who writes the OS and makes the phone, you literally cannot trust anyone else.

This means only the iPhone, Blackberry, and Nexus brands are the only ones who can be held accountable for their devices, SW updates, and security.

Razrs cannot be trusted despite being ostensibly owned by Google because they cannot get timely OS updates. Even the Verizon Nexus was hobbled by Verizon.

iPhones have the best update track record bar none, Blackberry the best security track record, and if you have to get Android, Nexus the best update record second only to the iPhone.

Good, some of you are starting to get that this isn't a simple issue. When I asked my original respondent, "what constitutes better" I meant that directly, as in, how is the phrase "better phone" supposed to be defined so we're all on the same page? Obviously, there's a lot of subjectivity. The tone of my original question should have led the reader to consider things like security and convenience to be "better", though again we have subjective terminology here which requires more explanation to get the clearest meaning across.

Of course this is a simple issue.

The better phone is the one that works the best, for you. Since you are ignorant, as you state in your next sentence, then the problem is that you are the one lacking context. Frex doesn't make you in the forefront, it just means you're fronting.

Quote:

I know pretty much nothing of the modern offerings. I got my phone just as the smartphone hysteria started. Mine isn't one. For the most part, I didn't think I wanted one. But the new wave seems to be integrating a lot of computer features into phones, and I know there's tons of problems with computer viruses and security, and recent articles have focused on the same thing happening to phones.

I posted already, but let me reiterate. If you care about viruses and security, you need to get a phone from someone who will update quickly and reliably, and you need to get a phone that has a safe ecosystem, and you need to get a phone that has security minded features.

Quote:

For the person who doesn't HAVE a smartphone but is thinking of getting one, what are the concerns to be aware of? When you say this or that software publisher shouldn't be trusted with this or that level of access, well, it's obviously clear as mud to the uninitiated. I only just used a tablet for a couple hours within the past month for the first time.

This should have been your first post question.

Quote:

I want to know if the tech has caught up enough that it would be worth my while to get it, and as I can't lay out exactly what my priorities and needs are (because I don't know what they are) I have to do the best I can to get someone knowledgeable to clue me in. I can't ask the right questions until I learn what questions to ask.

Does that make more sense?

Yes.

Get an iPhone. Apple gatekeeps its app store, unlike Google. Apple pushes updates quickly and reliably and for an average of 3 years. The Nexus record I believe is 19 months, less than 2/3 of Apple's record. The Apple App Store also has the best selection of apps, despite being policed, so you won't miss out on that front. Google's App Store has hosted malware repeatedly for the past several years, in no small part because they don't gatekeep the entries; I believe only a single, experimental, piece of malware got into the Apple Store while hundreds a year get into Google's Store.

The problem with the Google Store is that because admission is automatic, a bad piece of code can be programmatically inserted into thousands of apps and uploaded using multiple accounts and they will all get in, until Google's scanner can detect it.

For the days, weeks, or months that those apps are available however, more apps can be uploaded, until they all get flushed.... Only to be repeated again a couple months later with different code.

If you care about security more, then Blackberry has a good track record, with the only caveat being that the BB10 OS is literally only months old (and therefore with zero track record itself), while the older BB7 devices are literally 3 years old. You're probably safe on the BB7 because no one will care to target it (security via obscurity) on top of BB7 having an excellent security track record. Yeah, it took BB three years to release BB10 because they were pretty far behind iOS and Android on usability, convenience, performance, design, and features.

Yeah, that does nothing to negate my point which is that new words are added to the lexicon all the time. What you just wrote actually supports my point, so, yep, picking nits for the sake of nitpicking. Seriously, I don't know why EVERYTHING on the Internet needs to be an argument.

PS last I checked, homonyms are considered words in their own right, not just "reused" words

Lumia 800 won't be getting WP8, and it was less than a year old. After it gets WP7.8, will there be a WP7.9?

At 40 months old the iPhone 3GS still got iOS 6. At 45 months it got iOS 6.1.3 for security issues! How many months are you going to claim your Lumia phone will get updates?

The version number is irrelevant. iPhone 3GS never got Siri or other features, and neither did the iPhone 4. Microsoft could have called 7.8 WP8 on the older devices and not included newer features as well. The "security updates" for 6.1.3 were to fix the lockscreen and other shit that Apple broke in previous 6.x releases. I wouldn't be too worried about malware on WP7 devices purely because of the low marketshare.

It's completely relevant because the APIs for the new apps were all there. 3GS users can run all of the new apps. WP7.8 is a dead-end. Apps are not backward compatible in most cases, especially games.

Never even thought of getting an antivirus for my Palm Pre. And now I can't as the Pre apps store has long been defunct. Then again, this OS might be 'safe by obscurity', like Apple computers used to be.